Skip to main content

CVE-2026-33311

| EUVDEUVD-2026-14182 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 19, 2026 - 18:00 euvd
EUVD-2026-14182
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
CVE Published
Mar 19, 2026 - 17:49 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Summary

SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to createAvatar() and serve the resulting SVG inline or with Content-Type: image/svg+xml.

Affected packages

  • @dicebear/core - backgroundColor option values interpolated into SVG attributes without escaping (affects solid and gradientLinear background types)
  • @dicebear/initials - fontFamily and textColor option values interpolated into SVG attributes without escaping

Fix

All affected SVG attribute values are now properly escaped using XML entity encoding. Users should upgrade to the listed patched versions.

Mitigating factors

  • Applications that validate input against the library's JSON Schema before passing it to createAvatar() are not affected
  • The DiceBear CLI validates input via AJV and was not vulnerable
  • Exploitation requires that an application passes untrusted, unvalidated external input directly as option values

AnalysisAI

DiceBear avatar generation libraries (@dicebear/core and @dicebear/initials) are vulnerable to stored XSS through unescaped SVG attributes when user-supplied options like backgroundColor, fontFamily, and textColor are directly interpolated into SVG output. Attackers can inject malicious JavaScript that executes when the resulting SVG is rendered inline or served with SVG content-type, affecting any application that passes untrusted input to the createAvatar() function. No patch is currently available.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

CVE-2026-33311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy